
Re: [script] for AV evasion

Can anyone explain to me how XOR obfuscates the shellcode, which I can then put in the temp.c that is created in this script? I'm trying to understand how this works, so I'm going to try and do it manually, without the script. I know it's outdated, but can anyone explain it to me?

Re: [script] for AV evasion

I haven't really looked at the script in depth for what it does, but I can tell you basically what's going on from my CTP experience with code-caving. Using this to generate exes, as pointed out above, is not advisable; it's much better to code-cave something yourself. Look online for in-depth tutorials, but here's the gist. Take a program and open it in a debugger. Find an empty section or create your own, and replace the first few instructions with a jump to the empty section, saving the first few instructions, the value in ESP, and the start address in Notepad or whatever. MAKE SURE TO SAVE ALL ADDRESSES! Then, generate your shellcode using MSF and paste it in the exe at around 100 bytes past your jump point for ample space to play around. Here's where XOR encoding comes in. Since the shellcode is analyzed by every AV, you must turn it into something that the AV can't recognize. By far the easiest way is XOR encoding, since double XOR encoding returns the original shellcode. The way to do that is to write an XOR loop. The easiest XOR loop is a one-byte jmp, but I prefer a 4-byte jump with a variable key, even if it's slightly harder to configure.
So now your program looks like this:

Now here's how to program an XOR loop. Basically, from the start of the shellcode until the end: XOR the shellcode with the key, then INCREMENT or ADD 4 to EAX, then JMP to XOR LOOP START until EAX > SHELLCODE LAST MEM ADDRESS.

Assume 0001 is the start address of the shellcode for simplicity, and 00ff is the end of the shellcode.
Also assume that 1000 is the start address of the encoder. Our loop now looks like this:

That basically does all I described. At this point, place a breakpoint at the end of the encoding loop, then let it run, and save all the changed shellcode in the file. Then, when you rerun the program, the encoding loop decodes it and runs the shellcode normally. This will hopefully change the shellcode enough for it to be unrecognizable to any AVs. I hope this helps.

World Domination is such an ugly phrase. I prefer the term World Optimization.
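An added example, not from either post, showing the scanning side of the XOR loop described above: because XOR with a repeating key is its own inverse, a scanner can undo a one-byte key by trying all 256 values, and a four-byte key falls to a known-plaintext check if a few bytes of the decoded payload are predictable. The payload bytes, keys and signature below are constructed placeholders, not real shellcode.

```python
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def brute_force_single_byte(blob: bytes, signature: bytes):
    """Try every one-byte key; return (key, offset) if the signature appears after decoding."""
    for key in range(256):
        idx = xor_with_key(blob, bytes([key])).find(signature)
        if idx != -1:
            return key, idx
    return None


def recover_repeating_key(blob: bytes, known: bytes, key_len: int, offset: int) -> bytes:
    """Known-plaintext recovery for a repeating key of length key_len.

    If the decoded bytes at `offset` are known, key_byte = cipher_byte ^ plain_byte,
    so key_len known bytes are enough to rebuild the whole key.
    """
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = blob[pos] ^ known[i]
    return bytes(key)


# Constructed sample payload: a readable placeholder standing in for a real buffer.
SAMPLE = b"CONSTRUCTED-PLACEHOLDER-BYTES-NOT-REAL-SHELLCODE"
SIGNATURE = b"PLACEHOLDER"  # hypothetical scanner signature, also constructed

if __name__ == "__main__":
    one_byte = xor_with_key(SAMPLE, b"\x5a")          # constructed one-byte key
    print("one-byte key recovered:", brute_force_single_byte(one_byte, SIGNATURE))
    four_byte = xor_with_key(SAMPLE, b"\x13\x37\xc0\xde")  # constructed four-byte key
    print("four-byte key recovered:", recover_repeating_key(four_byte, SIGNATURE, 4, 12).hex())
```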